James McGovern is an industry thought leader whose focus is on the human aspects of technology around open source, SOA, software security, enterprise architecture and agile software development.

The opinions expressed herein may or may not represent my own personal opinions and definitively do not represent my employer's view in any way...

Tuesday, December 26, 2006

Ruby on Rails and Security

Citizen Duck made an interesting statement around Ruby on Rails that I felt needed amplification...

Below is his comment:

RoR is lacking too much of the needed security features in an enterprise environment and is not ready for mission-critical applications. There is no integration of external authorization engines, no integration of groupware systems or Active Directory, no support for LDAP. There is no real security model at all. You have to develop many security functions on your own, which makes RoR very unproductive when compared to Java EE or .NET.

This is the first time that I have seen a blogger who likes Ruby on Rails talk about all aspects of productivity. Anyway, instead of throwing daggers, I wonder if the better call to action would be for me as Mr. Enterprisey to help the Ruby community become more secure?

What if I were to make a public commitment to contribute code that allowed Ruby on Rails to bind to LDAP and Active Directory; would I still be called enterprisey? What if I were to leverage the fact that lots of closed source vendors want my dollars and ask them to, say, contribute XACML support; how would the community perceive it? What if I were to take this one step further and ask not only Kim Cameron but his bosses at Microsoft to contribute support for WS-Federation and CardSpace; would they still rebel against the machine?

Taking this one step further, what if Mark Dixon and Pat Patterson pressured other developers from Sun to contribute support for SAML, along with giving Ruby a proper way of interacting with Web Services; would they be embraced or ignored? I wonder if anyone has asked for the assistance of the folks over at Fortify Software?

I wonder if the Ruby community understands the basic principles of marketing? What if I at least agreed to fill out all that wonderful paperwork (remember, us enterprisey folks are good at this) required by industry analyst firms such as Gartner and Forrester to show that Ruby on Rails is truly enterprise ready and worthy of some coverage? Enterprises have access to a lot more capital and talent, which is what Ruby needs to take it to the next level. Maybe, if you simply asked in a polite way, you might find lots of assistance in reaching your goals and may even realize that enterprisey folks aren't evil after all...